How to Mitigate Credit Card Testing Attacks

Aug 24, 2023 | Resources

Attacks on eCommerce websites are commonplace and date back to the very first website that offered something for sale. Traditionally, these attacks were attempts to actually purchase the items for sale using fraudulent or stolen credit cards.

With increased law enforcement, these techniques have evolved, and what we see most commonly today are rapid attacks engineered to test a batch of stolen credit card numbers. Here’s how it works.

  1. Criminal A steals a bunch of credit cards.
  2. Criminal A then offers these cards for sale on the “black market” for $15-20 each.
  3. Criminal B buys this batch of cards but needs to test them.
  4. Criminal B uses software to scan for eCommerce websites.
  5. Once a target is found, the criminal then places dozens or hundreds of rapid orders.

The goal of this attack is to validate which cards can be used for further purchases (or for resale) elsewhere. Attackers often target websites with small dollar amounts (under $20) to avoid triggering fraud alerts.

What can we do?!?

There is no magic bullet to stopping these attacks but there are mitigation techniques.

  1. The first place to lock down is your payment gateway provider. Most major payment providers (Authorize.net, Stripe) offer fraud controls, such as Address Verification (AVS), that let you evaluate the risk of each transaction.
  2. CAPTCHA used to be more effective, but with improvements in bot technology (AI), CAPTCHA challenges can now be solved faster by bots! Regardless, CAPTCHA still stops some bots.
  3. Remove low-cost or open-ended payment forms. As mentioned above, criminals seek low-value, high-volume transactions, such as “payment forms” with no minimum amount.
  4. While not advisable for every store, limiting the rate of orders can stop these attacks. The drawback is that you could also limit legitimate high-volume ordering.
  5. Our favorite technique recently is to ask a simple question during checkout, such as “What color is grass?”, and require the user to type the word “green”. Not perfect, but as of now still effective against bots, although with the advent of AI this will soon change as well!
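Detection logic for the rapid, low-value burst described above, as an added example that is not from the original post: it flags sources that place many small orders using many different cards inside a short window, while leaving a repeat customer who pays with one card alone (the false-positive risk noted in item 4). The order log and card fingerprints are constructed sample data; `flag_card_testing` and its thresholds are hypothetical names and values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order log (not real data): ISO timestamp, client IP, amount in
# USD, and a non-reversible card fingerprint (gateway token or hash of BIN + last four).
SAMPLE_ORDERS = [
    # Burst of small orders, a different card each time: the card-testing pattern.
    ("2023-08-24T10:00:01", "203.0.113.7", 4.99, "fp-a1"),
    ("2023-08-24T10:00:05", "203.0.113.7", 4.99, "fp-b2"),
    ("2023-08-24T10:00:09", "203.0.113.7", 1.00, "fp-c3"),
    ("2023-08-24T10:00:14", "203.0.113.7", 9.50, "fp-d4"),
    ("2023-08-24T10:00:20", "203.0.113.7", 4.99, "fp-e5"),
    ("2023-08-24T10:00:27", "203.0.113.7", 2.00, "fp-f6"),
    # Legitimate high-volume buyer: many small orders, but always the same card.
    ("2023-08-24T10:01:00", "198.51.100.20", 12.00, "fp-z9"),
    ("2023-08-24T10:01:30", "198.51.100.20", 12.00, "fp-z9"),
    ("2023-08-24T10:02:00", "198.51.100.20", 12.00, "fp-z9"),
    ("2023-08-24T10:02:30", "198.51.100.20", 12.00, "fp-z9"),
    ("2023-08-24T10:03:00", "198.51.100.20", 12.00, "fp-z9"),
    ("2023-08-24T10:03:30", "198.51.100.20", 12.00, "fp-z9"),
    # Ordinary single purchase above the low-value threshold.
    ("2023-08-24T10:02:10", "192.0.2.33", 149.00, "fp-y8"),
]

def flag_card_testing(rows, window=timedelta(minutes=5), min_orders=5,
                      min_cards=4, max_amount=20.0):
    """Return {ip: (orders, distinct_cards)} for sources whose low-value orders
    inside any `window` use at least `min_cards` different cards. Counting distinct
    cards, not just order rate, spares a repeat customer paying with one card."""
    by_ip = defaultdict(list)
    for ts, ip, amount, fingerprint in rows:
        if amount <= max_amount:  # only the low-value orders that testers favour
            by_ip[ip].append((datetime.fromisoformat(ts), fingerprint))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            cards = {fp for _, fp in in_window}
            if len(in_window) >= min_orders and len(cards) >= min_cards:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(in_window), len(cards)))
    return flagged

if __name__ == "__main__":
    for ip, (orders, cards) in flag_card_testing(SAMPLE_ORDERS).items():
        print(f"{ip}: {orders} low-value orders with {cards} distinct cards")
```

Feed the flagged IPs to whatever blocks or challenges checkout; tune the thresholds to your own order volume before acting on them automatically.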

Sadly, some attacks will still succeed, and if your online store is successfully attacked, the first thing you need to do is refund all fraudulent orders. Your payment gateway provider, merchant provider, and bank will work with you but may not cover all losses. Take action early!
